Closed MaryUSMC closed 1 year ago
Government to Citizen transactions are outside the scope of the FICAM architecture playbook specifically; however, the issue will remain open and deferred to future playbooks such as Single Sign On/Federation.
What about Government to business, like in the case of a regulator?
@MaryUSMC while NIST has not certified any IAL2 providers directly, login.gov has tried to implement their accompanying conformance criteria (SP 800-63-3 conformance criteria). Login.gov is conducting several steps of verification to include email, phone number, and identity document data verification, and they have begun to pilot in person proofing at some USPS locations in the greater Washington DC area.
https://login.gov/help/verify-your-identity/how-to-verify-your-identity/
login.gov also has the ability to act as a federation service, providing credential management services to users (e.g., id/password + OTP codes), subsequently authenticating individuals within your scope, and then passing federation assertions to relying party applications.
Although NIST is not accrediting any organizations to their standards, there is the Kantara Initiative which is a non-profit that conducts their own assessment and accreditation using 800-63 as their baseline. They have been working with some partners to conduct these assessments for some time, so you will notice that some of their terminology aligns to older revisions of 800-63 (e.g. LOA vs IAL/AAL/FAL).
https://kantarainitiative.org/trust-status-list/ (you may note that login.gov is still in the applicant phase)
Description of Issue:
I did not see any use cases for citizens who access government systems. Examples could be:
accessing tax information
accessing SSA information
a parent filling out FAFSA student financial aid application
an external partner required to provide information to a regulator, yet that partner is not an employee, contractor, or representative of the government and the most suitable description would be consumer, customer, or regulated entity.
Details of Issue:
What are the requirements for non-government entities to access government systems if the workflow determines an IAL2 level? Can we enforce multifactor security requirements? If so, how do we identity-proof thousands of citizens in accordance with NIST 800-63-3 / FIPS 199?
References (Docs, Links, Files):
NIST 800-63-3 / FIPS 199
If a New Page or Content is Needed, Expected Outcomes:
Link to the Content Page for Contributors: